This section describes how to enable relational connections to leverage your Hadoop Single Sign-On (SSO) infrastructure.When this feature is enabled and properly configured, users can create relational (JDBC) connections that use SSO that you have already configured. 

Connections that were created before this feature is enabled continue to operate as expected without modification.

Limitations

Pre-requisites

Enable

ParameterDescription
webapp.connectivity.enableSsoKerberosDelegateSet this flag to true to enable Kerberos-based SSO connections to be created for supported connection types.

Configure

Configure JAAS file and path

ParameterDescription
webapp.connectivity.kerberosDelegateConfigPath

Path on the to the location of the JAAS configuration file required by the DataDirect driver.

NOTE: The default location is listed below. You may wish to move this file to a location outside of the to ensure that the file is not overwritten during upgrades.

More information on this file is provided below.

JAAS file

For connections that support Kerberos-delegated authentication, the underlying driver supports a JAAS file in which you can provide environment-specific configuration to the driver. As needed, you can modify this file. 

Connection TypeDefault path to JAAS file
SQL Server%(topOfTree)s/services/data-service/build/conf/kerberosdelegate.config 

Example JAAS file for SQL Server

Below is an example file, where you must apply the Kerberos global keytab and principal values that are to be used to authenticate to use the Kerberos-delegated connections of this type:

trifacta_jaas_config {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  doNotPrompt=true
  keyTab="</absolute/path/to/trifacta_jdbc_sso.keytab>"
  principal="<principal_name>";
};
 
JDBC_DRIVER_01 {
  com.sun.security.auth.module.Krb5LoginModule required debug=false
  useTicketCache=true;
};

where:

Specify Kerberos configuration file

On the , locate the following file:

<root>/etc/krb5.conf


If it doesn't exist, create it with the following content, some of which you must specify:

[libdefaults]
    default_realm = <my_default_realm>
    forwardable = true # Important that this is set!
  
[realms]
    <my_default_realm> = {
        kdc = <kdc_domain>
    }
  
[domain_realm]
    <my_domain> = <my_default_realm>


SettingDescription
default_realmSet this value to your default Kerberos realm.
forwardableThis value must be set to true.
kdc

For each realm that you create, you must create an entry in [realms].

For the kdc entry, apply the KDC domain that the JDBC connection should use.

my_domain

For each domain to which the Kerberos delegation applies, you must create an entry in [domain_realm].

Entries should look like the following:

trifacta.com = TRIFACTA.COM


Modify the location of the Kerberos configuration file

If you need to move the location of the file from the default one, please complete the following:

Steps:

  1. If you haven't already done so, copy the file from its current location to its preferred location. 
  2. Specify the path to the new location in the following parameter:

    "webapp.connectivity.krb5Path": "/etc/krb5.conf";


  3. Save your changes.

Example Setup

The following example uses the default Kerberos realm to set an SSO connection to a SQL Server instance. This example is intended to demonstrate one way in which you can set up your SSO connections.

Steps:

  1. Create the :

    1. Form: HTTP/serviceprincipal@REAM 
    2. Enable this flag: ok_to_auth_as_delegate 
    3. Example:

      kadmin -q "addprinc -randkey +ok_to_auth_as_delegate HTTP/serviceprincipal"
      kadmin -q "addprinc -randkey +ok_to_auth_as_delegate HTTP/serviceprincipal@REALM"


    4. For more information on delegation flags, see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/kadmin_local.html
  2. Generate a keytab for the .

  3. Register the  for Microsoft Sql Server instance:

    1. Enable this flag: ok_as_delegated 
    2. Example:

      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>:<port>"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>:<port>@REALM"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>"
      kadmin -q "addprinc -randkey +ok_as_delegate MSSQLSvc/<FQDN>@REALM"


    3. For more information on setting this flag, see https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017.
  4. Create a linked SQL Server account: 

    1. Account must have the same name as the end-user principal. 

    2. Account needs connect permissions at least.

NOTE: If you are using LDAP/AD SSO, you can register all of the above SPNs using AD mechanisms. You do not have to use the delegation flags. Delegation can be managed through the UI for the service account.

Use

When you create a new connection of a supported type, you can select the Kerberos Delegate credentials type. When selected, no username or credentials are applied as part of the connection object. Instead, authentication is determined via Kerberos authentication with the cluster.

Sharing

When sharing SSO connections, the credentials for the connection cannot be shared for security reasons. The Kerberos principal for the user with whom the connection is shared is applied. That user must have the appropriate permissions to access any required data through the connection. See Overview of Sharing.